Complain about a product or service

GAO: IRS Still Not Doing Enough to Secure Data

By Martin H. Bosworth
ConsumerAffairs.com

April 2, 2007

Income Tax • IRS Makes 'Free File' Available Again • IRS Alerts Public To New Identity Theft Scams • In Search Of Revenue, Feds May Look To Consumers • IRS To Beef Up Ranks After Canceling Private Debt Collection • Taxpayers Filing Earlier This Year • IRS Offers Help to Financially Stressed Taxpayers • IRS Faulted for Lax Identity Theft Protection Efforts • IRS Loses Nearly 500 Computers Over Three Years • GAO: IRS Still Not Doing Enough to Secure Data • Taxpayer Advocate Targets IRS Collection Policies • IRS Scales Back Outsourcing Plans • December is Tax-Prep Time • IRS Has Refunds for 95,746 "Missing" Taxpayers • GAO: IRS Needs More Oversight of Private Debt Collectors • IRS Gives Away Millions Due To Failed Software Upgrade • New IRS Online Payment System Raises Privacy Fears • Taxpayers Can Get an Automatic Six-Month Filing Extension • April 15th Should Be Just Another Day, Taxpayer Groups Argue • "Tax Freedom Day" Three Days Late This Year • Senators Push for Electronic Tax Filing • Paying Taxes With Your Credit Card Can Get Expensive • GAO Finds Tax Preparers Prone to Error • Consumer Group to Taxpayers: Don�t Borrow Your Own Money • States Oppose IRS Plan to Loosen Privacy Rules on Taxpayers' Returns • More ...

As tax time looms, a new report by the Government Accountability Office (GAO) found that the Internal Revenue Service (IRS) has made "limited progress" in addressing significant security vulnerabilities, but many weaknesses "continue to threaten the confidentiality, integrity, and availability of IRS’s financial and tax processing systems and information."

The GAO cited the IRS' failure to implement its information security program as a "primary reason" for the continued vulnerabilities.

"Until [the] IRS fully implements an agencywide information security program that includes...security plans, training, adequate tests and evaluations, and a continuity of operations process for all major systems, the financial and sensitive taxpayer information on its systems will remain vulnerable," the GAO said.

Among the GAO's findings:

• The IRS did not perform enough oversight of ensuring only authorized personnel had access to its systems. The GAO found evidence of personnel sharing usernames and passwords to access a database production server for the IRS' procurement system.

• The IRS often granted users more access than necessary for performing their duties to systems, and did not adequately police usage or receipt of anonymous e-mails, which increases the vulnerability to phishing scams.

• Physical security vulnerabilities at examined IRS offices included leaving the server for a procurement database in a cubicle, rather than a secured office, and handing out secure access cards to more employees than were necessary.

The GAO previously reported in March 2006 that the IRS had gaping holes in its security practices, such as leaving passwords for computers available for anyone to read, failing to verify photo identification of visitors as IRS employees, and not providing proper oversight and training for contractors in its employ.

The new report did note improvements on some of these fronts, such as improving password storage and creation policies, increased audits and monitoring for mainframe and Windows machines, and increased training for employees and contractors, particularly in the event of disaster.

IRS Commissioner Mark Everson acknowledged the failures of the IRS to provide a comprehensive security plan in his response to the report, but defended the steps the agency took, as he did last year.

"The IRS takes its security and privacy responsibilities seriously," Everson said. "While we have made significant progress, we recognize that continued diligence is required."

The GAO report comes on the heels of new evidence that the IRS is faltering in its ability to fill the "tax gap" of uncollected and underreported tax payments. National Taxpayer Advocate Nina Olson reported to Congress in January that noncompliance in tax collection forced compliant taxpayers to shoulder more of the burden. Many issues with taxpayer debt could be avoided through earlier negotiation with taxpayers, rather than waiting for debts to accrue interest and penalties, Olson said.

The IRS had planned to outsource data collection functions to an outside company, IAP World Services, as part of a large-scale privatization program, but eventually reduced the breadth of the program after IAP admitted it would not have many of the data centers ready in time for the upcoming tax season, and to ensure that the new employees would be properly trained.

The full GAO report is available as a PDF document.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Follow us on Twitter.

Back to the top |